1. The TLS communication link (as shown in the figure)
First stage: ClientHello
The client sends:
the highest protocol version it supports, such as TLS 1.2
a random number generated by the client, used later to derive the "session key"
the list of encryption algorithms (cipher suites) it supports
the compression methods it supports
Second stage: ServerHello
The server replies with:
confirmation of the protocol version to be used for the encrypted communication, such as TLS 1.2
a random number generated by the server, also used later to derive the "session key"
confirmation of the encryption method to be used
the server certificate
Third stage:
The client validates the server certificate (issuing authority, integrity of the certificate, certificate holder, validity period, revocation list); once the checks pass it extracts the public key from the certificate.
It then sends the following to the server:
a third random number (the pre-master key), encrypted with the server's public key
a cipher change notification, meaning that everything sent from now on will use the negotiated encryption method and key
the client handshake completion notification
Fourth stage:
The server decrypts the client's message with its own private key to obtain the third random number (the pre-master key) and computes the "session key" for this session from the three random numbers.
It then sends the following to the client:
a cipher change notification, meaning that everything sent from now on will use the negotiated encryption method and key
the server handshake completion notification
All subsequent traffic in the session is encrypted with the session key.
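The fourth stage says the server "computes the session key from the three random numbers" without showing how. The following is an added example, not code from the original notes: it implements the TLS 1.2 pseudo-random function from RFC 5246 (section 5, with HMAC-SHA256) and uses it exactly as the handshake above describes, turning the client's pre-master secret plus the client and server randoms into the 48-byte master secret, and then expanding that into the per-direction keys that the notes call the "session key". All byte values are constructed in the example; nothing is captured traffic.

```python
"""TLS 1.2 session-key derivation from the three random values.

Added example, not code from the original notes. It implements the TLS 1.2
PRF (RFC 5246 section 5, HMAC-SHA256) and applies it the way the handshake
above describes: the client's pre-master secret, the client random and the
server random go in, the master secret comes out, and the master secret is
expanded into the per-direction keys. All byte values are constructed here;
nothing is captured traffic.
"""
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246: chain A(i) = HMAC(secret, A(i-1)) until enough output."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()              # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()    # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Fourth stage of the notes: combine the three random values into the 48-byte master secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Expand the master secret; the randoms are concatenated in the opposite order here (RFC 5246 6.3)."""
    return prf(master, b"key expansion", server_random + client_random, length)


def derive_session_keys(pre_master, client_random, server_random, key_len=16, iv_len=4):
    """Split the key block as an AEAD suite such as AES-128-GCM does: two keys, two implicit IVs."""
    master = master_secret(pre_master, client_random, server_random)
    block = key_block(master, client_random, server_random, 2 * key_len + 2 * iv_len)
    layout = [("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys


if __name__ == "__main__":
    # Constructed handshake values. With RSA key exchange the pre-master secret is
    # the protocol version (0x0303 for TLS 1.2) followed by 46 random bytes.
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_master = b"\x03\x03" + os.urandom(46)
    master, keys = derive_session_keys(pre_master, client_random, server_random)
    print("master secret:", master.hex())
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

Because both randoms are mixed into the master secret, a replayed pre-master secret yields a different session key every time, which is the point of the server contributing its own random in the second stage. TLS 1.3 replaces this PRF with an HKDF-based schedule, but the idea of deriving traffic keys from a shared secret plus both parties' randomness is the same.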
2. How to get a browser to trust a self-signed certificate
Set up a private CA.
Generate the CA's private key (the umask in the subshell makes the key file readable only by the creating user, root):
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generate the self-signed CA certificate:
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
-new: create a new certificate signing request
-x509: output a self-signed certificate instead of a request; used when creating a private CA
-key: path of the private key used to generate the request
-out: path of the output file; with -x509 this is the signed certificate itself
-days: validity period of the certificate, in days
Provide the directories and files the CA needs:
~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
~]# touch /etc/pki/CA/{serial,index.txt}
~]# echo 01 > /etc/pki/CA/serial
Then import cacert.pem into the browser's trusted root certificate store; certificates signed by this CA will be recognised by the browser from then on.
3. Setting up a DNS server
(1) Install the DNS server software
As root, run:
# yum install bind
(2) Configure the related files
(2.1) First, the main DNS configuration file /etc/named.conf
options {
        listen-on port 53 { any; };    // listening port and which addresses may query; any means all
        directory "/var/named";        // directory holding the zone database files
        allow-query { any; };          // which hosts are allowed to send queries
        recursion yes;                 // perform recursive lookups on behalf of clients
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "magedu.com" IN {
        type master;
        file "magedu.com";
};
zone "99.168.192.in-addr.arpa" IN {
        type master;
        file "named.192.168.99";
};
The name in quotes after zone is the zone to be served: for forward resolution it is the domain name itself; for reverse resolution it is the network part of the IP address written in reverse order, followed by .in-addr.arpa.
type: the zone type; hint for the root hints; master for the primary DNS server; slave for a secondary DNS server; forward for a forwarding zone.
file: the name of the zone database file.
(2.2) Zone database files
Forward zone file: /var/named/magedu.com
$TTL 86400
@       IN  SOA  ns1.magedu.com. admin.magedu.com. (
                 2019011301
                 1H
                 5M
                 1W
                 86400 )
@       IN  NS   ns1.magedu.com.
@       IN  MX   10 mail.magedu.com.
ns1     IN  A    192.168.99.110
www     IN  A    192.168.99.110
www     IN  A    192.168.99.111
ftp     IN  A    192.168.99.110
web     IN  CNAME ftp
Notes: $TTL is the default time to live of the records; SOA marks the start of authority; ns1.magedu.com. is the primary name server of the domain and admin.magedu.com. is the administrator's e-mail address (in a zone file the @ of a normal mail address is written as a dot, so admin.magedu.com. stands for admin@magedu.com).
The five values in parentheses are: the serial number, which must be increased every time the file is modified; the refresh interval; the retry interval; the expiry time; and the negative-caching TTL (how long a "no such record" answer may be cached).
NS names the domain's DNS servers; MX names the mail server, and the number before the mail server is its priority; A maps a host name to an IPv4 address (forward resolution).
CNAME makes web an alias of the previously defined ftp: web resolves to whatever ftp resolves to, that is 192.168.99.110.
Reverse zone file: /var/named/named.192.168.99
$TTL 86400
@       IN  SOA  ns1.magedu.com. admin.magedu.com. (
                 2019011301
                 1H
                 5M
                 1W
                 86400 )
@       IN  NS   ns1.magedu.com.
110     IN  PTR  ns1.magedu.com.
110     IN  PTR  www.magedu.com.
111     IN  PTR  www.magedu.com.
110     IN  PTR  ftp.magedu.com.
Notes: the first column holds only the last octet of the IP address, the rest comes from the zone name 99.168.192.in-addr.arpa; PTR is the reverse-resolution record, mapping an address back to a name. The names on the right must end with a dot, otherwise the zone origin is appended to them.
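A host that is added to the forward zone but not to the reverse zone (or a PTR target left without its trailing dot) is an easy mistake to make with two hand-edited files, and it shows up later as failing reverse lookups. The following is an added example, not part of the original notes: it parses the two zone files above (reproduced as constructed strings, with the ftp PTR deliberately written without a trailing dot and a stale PTR for a mail host that has no A record) and reports every A record without a matching PTR and every PTR that points at a name the forward zone does not carry.

```python
"""Consistency check between a BIND forward zone and its reverse zone.

Added example, not part of the original notes. The two zone files are
reproduced below as constructed strings; the reverse copy leaves the
trailing dot off one PTR target and keeps a stale PTR for a host that has
no A record, so that the check has something to report.
"""

FORWARD_ORIGIN = "magedu.com."
REVERSE_ORIGIN = "99.168.192.in-addr.arpa."

# Constructed copy of /var/named/magedu.com.
FORWARD_ZONE = """\
$TTL 86400
@       IN  SOA  ns1.magedu.com. admin.magedu.com. (
                 2019011301 1H 5M 1W 86400 )
@       IN  NS   ns1.magedu.com.
@       IN  MX   10 mail.magedu.com.
ns1     IN  A    192.168.99.110
www     IN  A    192.168.99.110
www     IN  A    192.168.99.111
ftp     IN  A    192.168.99.110
web     IN  CNAME ftp
"""

# Constructed reverse zone with two deliberate faults (see the comments).
REVERSE_ZONE = """\
$TTL 86400
@       IN  SOA  ns1.magedu.com. admin.magedu.com. (
                 2019011301 1H 5M 1W 86400 )
@       IN  NS   ns1.magedu.com.
110     IN  PTR  ns1.magedu.com.
110     IN  PTR  www.magedu.com.
111     IN  PTR  www.magedu.com.
110     IN  PTR  ftp                 ; missing trailing dot: the origin gets appended
110     IN  PTR  mail.magedu.com.    ; no A record for mail in the forward zone
"""


def qualify(name, origin):
    """Turn a zone-file owner or target into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata fields) for each record of a simple zone file.

    Handles $ directives, ';' comments, parenthesised multi-line records,
    '@', relative names, an optional per-record TTL and the IN class.
    """
    logical, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()         # strip comments
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                                 # record is complete
            logical.append(" ".join(buf))
            buf = []
    records, owner = [], origin
    for rec in logical:
        fields = rec.replace("(", " ").replace(")", " ").split()
        if fields[0].startswith("$"):
            continue                                   # $TTL / $ORIGIN are not records
        if not rec[0].isspace():                       # a new owner name starts the line
            owner = qualify(fields.pop(0), origin)
        if fields and fields[0].isdigit():
            fields.pop(0)                              # per-record TTL
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def reverse_prefix(rev_origin):
    """'99.168.192.in-addr.arpa.' -> '192.168.99'."""
    labels = rev_origin.rstrip(".").split(".")[:-2]    # drop 'in-addr', 'arpa'
    return ".".join(reversed(labels))


def check_reverse_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return (A records without a PTR, PTRs without an A) as sorted (name, ip) lists."""
    a_pairs = {(owner, rdata[0])
               for owner, rtype, rdata in parse_zone(fwd_text, fwd_origin) if rtype == "A"}
    prefix = reverse_prefix(rev_origin)
    ptr_pairs = set()
    for owner, rtype, rdata in parse_zone(rev_text, rev_origin):
        if rtype == "PTR":
            host = owner[:-len(rev_origin) - 1]        # '110.99.168.192.in-addr.arpa.' -> '110'
            ptr_pairs.add((qualify(rdata[0], rev_origin), f"{prefix}.{host}"))
    return sorted(a_pairs - ptr_pairs), sorted(ptr_pairs - a_pairs)


if __name__ == "__main__":
    missing, stale = check_reverse_consistency(FORWARD_ZONE, FORWARD_ORIGIN,
                                               REVERSE_ZONE, REVERSE_ORIGIN)
    for name, ip in missing:
        print(f"A record without PTR: {name} -> {ip}")
    for name, ip in stale:
        print(f"PTR without matching A: {ip} -> {name}")
```

Run against the constructed files it reports ftp.magedu.com. as having no PTR, and shows two PTRs with no A record: the stale mail entry, and ftp.99.168.192.in-addr.arpa., which is what the dot-less "ftp" target silently became. The parser is deliberately minimal (no $ORIGIN, $INCLUDE or IPv6 reverse zones); for real zones run named-checkzone first and use this only as the cross-file check that named-checkzone does not do.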
(3) Restart the DNS service
# cd /var/named
# chown named:named named.192.168.99 magedu.com
# service named restart
(Before restarting, named-checkconf and named-checkzone can be used to validate the configuration file and the zone files.)
(4) Test DNS
Use dig to test:
# dig -t A www.magedu.com @server    forward resolution
# dig -t PTR 110.99.168.192.in-addr.arpa @server    reverse resolution (dig -x 192.168.99.110 @server is the shorthand for the same query)
-t is followed by the record type; @server is the address of the DNS server to query.
4. Familiarise yourself with the record types in DNSPod
(1) A record: points a domain name at an IPv4 address
(2) CNAME record: points a domain name at another domain name; the IP address is then whatever that other domain resolves to
(3) MX record: designates the mail server, so that mail for the domain can be received
(4) TXT record: identification and description text for the domain; the great majority of TXT records are used for SPF (anti-spam) records
(5) Implicit / explicit URL record: to point a domain name at another, already existing website, add a URL record
Implicit forwarding: uses an iframe rather than a redirect; typing http://a.com in the browser address bar and pressing Enter opens the content of the target website http://www.dnspod.cn, but the address bar still shows the current address http://a.com. If the target site cannot be embedded in a frame, it cannot be used with implicit forwarding (for example QQ Zone cannot be forwarded implicitly).
Explicit forwarding: uses a 301 redirect; typing http://a.com in the address bar and pressing Enter opens the content of the target website http://www.dnspod.cn, and the address bar shows the target address http://www.dnspod.cn.
(6) AAAA record: lets the domain name be reached over an IPv6 address
(7) NS record: delegates DNS resolution of the target domain name to another service provider's name servers
(8) SRV record: identifies which server provides a given service; common in Microsoft's directory management system (Active Directory)